Chapter 1 MAC Access-List Configuration


Access-list configuration includes: 
• Creating MAC access-list
• Configuring items of MAC access-list
• Applying MAC access-list


1.1 Creating MAC Access-List 


A MAC access list must be created before it can be applied to a port. When a
MAC access list is created, the switch enters MAC access-list configuration
mode, in which the items of the MAC access list can be configured.

Enter privilege mode and use the following steps to add or delete a MAC
access list.

Command                      Purpose
configure                    Enters the global configuration mode.
[no] mac access-list name    Adds or cancels a MAC access list.
                             name stands for the name of the MAC access list.


1.2 Configuring Items of MAC Access List 


In MAC access-list configuration mode, specify to permit or deny any source MAC 
address or a specific host source MAC address and any destination MAC address. 
The same items can be configured in a MAC access list only once. 


If the access list contains neither "permit any any" nor "deny any any", a
"deny any any" entry is automatically applied at the end of the list.


Enter MAC access-list configuration mode and use the following steps to set a
MAC access list entry.


Command                               Purpose
[no] {permit | deny}                  Adds/deletes a MAC access list entry. You
{any | host src-mac-addr |            can repeat this command to add/delete
src-mac-addr src-mac-addr-mask}       multiple MAC access list entries.
{any | host dst-mac-addr |            any means match with any MAC address;
dst-mac-addr dst-mac-addr-mask}       src-mac-addr stands for source MAC address;
[arp [{any | src-ip-addr}             src-mac-addr-mask stands for source MAC
{any | dst-ip-addr}] | ethertype]     address mask;
                                      dst-mac-addr stands for destination MAC
                                      address;
                                      dst-mac-addr-mask stands for destination
                                      MAC address mask;
                                      arp stands for matched ARP packet;
                                      src-ip-addr stands for source IP address;
                                      dst-ip-addr stands for the destination IP
                                      address;
                                      ethertype stands for type of the matched
                                      Ethernet packet.
exit                                  Logs out from the MAC list configuration
                                      mode and enters the global configuration
                                      mode again.
exit                                  Goes back to the EXEC mode.
write                                 Saves the settings.


MAC list configuration example 


Switch_config# mac access-list 7 
Switch-config-macl# permit host 7.7.7 any 
Switch-config-macl# permit host 2.2.2 any 


The above configuration is to compare the source MAC address, so the mask is 
the same. The configuration is successful. 


1.3 Applying MAC Access List 


The created MAC list can be applied on any physical port. Only one MAC list can 
be applied to a port. The same MAC list can be applied to multiple ports. 


Note: 


MAC access list cannot be applied on the ONU port. Refer to "ONU Management 
Configuration" for the configuration mode of ONU port. 


Enter the privilege mode and perform the following operation to configure the
MAC list.

Command                                Purpose
config                                 Enters the global configuration mode.
interface g0/1                         Enters the to-be-configured port.
[no] mac access-group name [egress]    Applies the established MAC access list to
                                       an interface or cancels a MAC access list
                                       which is already applied to an interface.
                                       name stands for the name of the access
                                       list.
                                       egress applies the list in the egress
                                       direction.
exit                                   Goes back to the global configuration
                                       mode.
exit                                   Goes back to the EXEC mode.
write                                  Saves the settings.


A MAC access list can also be applied in the global mode. A MAC access list
applied in the global mode takes effect on all ports.


Enter the privilege mode and perform the following operation to configure the
MAC list.

Command                                Purpose
configure                              Enters the global configuration mode.
[no] mac access-group name             Applies the established MAC access list to
[egress | vlan {WORD | add WORD |      an interface or cancels a MAC access list
remove WORD}]                          which is already applied to an interface.
                                       name stands for the name of the access
                                       list.
                                       egress applies the list in the egress
                                       direction.
                                       vlan: the access list is applied in
                                       ingress. WORD applies to the VLAN range
                                       table.
                                       add: adds the VLAN to the range table of
                                       the applied VLAN.
                                       remove: removes the VLAN from the VLAN
                                       range table.
exit                                   Goes back to the EXEC mode.
write                                  Saves the settings.
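
A pre-deployment check for three rules this chapter states (an entry may appear only once in a list, a list without a catch-all entry ends in an automatic "deny any any", and a port takes only one MAC list), added here as an example and not taken from the vendor's documentation. It assumes the commands are staged in a plain text file using the syntax above; the list names uplink and guest, port g0/2 and the sample file are constructed.

```python
import re

# Constructed sample: staged commands in this chapter's syntax (not device output).
SAMPLE = """\
mac access-list 7
 permit host 7.7.7 any
 permit host 2.2.2 any
 permit host 7.7.7 any
mac access-list uplink
 permit host 2.2.2 any
 deny any any
interface g0/1
 mac access-group 7
interface g0/2
 mac access-group guest
"""

def audit(config):
    """Return (findings, lists); the flat staged-file layout is an assumption."""
    lists, findings, current, port = {}, [], None, None
    bound = {}  # port -> list names applied with mac access-group
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if m := re.fullmatch(r"mac access-list (\S+)", line):
            current, port = m.group(1), None
            lists.setdefault(current, [])
        elif m := re.fullmatch(r"interface (\S+)", line):
            port, current = m.group(1), None
        elif re.match(r"(permit|deny) ", line) and current is not None:
            if line in lists[current]:  # same item only once per list (section 1.2)
                findings.append(f"list {current}: duplicate entry '{line}'")
            else:
                lists[current].append(line)
        elif (m := re.fullmatch(r"mac access-group (\S+)( egress)?", line)) and port:
            bound.setdefault(port, []).append(m.group(1))
    for name, entries in lists.items():
        # No catch-all entry: "deny any any" is applied automatically (section 1.2).
        if not any(e in ("permit any any", "deny any any") for e in entries):
            findings.append(f"list {name}: implicit 'deny any any' applies")
    for p, names in bound.items():
        if len(names) > 1:  # only one MAC list per port (section 1.3)
            findings.append(f"port {p}: {len(names)} MAC lists applied")
        findings += [f"port {p}: list {n} is not defined" for n in names if n not in lists]
    return findings, lists

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(finding)
```

The implicit-deny finding is informational: on list 7 it means every source other than the two permitted hosts is dropped once the list is applied to g0/1.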


